Distinct RBAC Policy Rules

Posted on September 20, 2016 by Adam Young

The ever elusive bug 968696 is still out there, due, in no small part, to the distributed nature of the policy mechanism. One Question I asked myself as I chased this beastie is “how many distinct policy rules do we actually have to implement?” This is an interesting question because, if we can an automated way to answer that question, it can lead to an automated way to transforming the policy rules themselves, and thus getting to a more unified approach to policy.
Continue reading →

Mirroring Keystone Delegations in FreeIPA/389DS

Posted on September 19, 2016 by Adam Young

This is more musing than a practical design.

Most application servers have a means to query LDAP for the authorization information for a user.Â This is separate from, and follows after, authentication which may be using one of multiple mechanism, possibly not even querying LDAP (although that would be strange).

And there are other mechanisms (SAML2, SSSD+mod_lookup_identity) that can, also, provide the authorization attributes.
Continue reading →

Hierarchy of Isolation

Posted on September 15, 2016 by Adam Young

One way to understand threads, process, containers, and VMs is to look at what each level of abstraction provides for isolation.
Continue reading →

Generating Token Request JSON from Environment Variables

Posted on September 10, 2016 by Adam Young

When working with New APIS we need to test them with curl prior to writing the python client. I’ve often had to hand create the JSON used for the token request, as I wrote about way back here.Â Here is a simple bash script to convert the V3 environment variables into the JSON for a token request.

Continue reading →

Deploying Fernet on the Overcloud

Posted on September 5, 2016 by Adam Young

Here is a proof of concept of deploying an OpenStack Tripleo Overcloud using the Fernet token provider.

Continue reading →

Deploying Server on Ironic Node Baseline

Posted on September 2, 2016 by Adam Young

My team is working on the ability to automatically enroll servers launched from Nova in FreeIPA. Debugging the process has proven challenging;Â when things fail, the node does not come up, and there is little error reporting.Â This article posts a baseline of what things look like prior to any changes, so we can better see what we are breaking.

Continue reading →

Running Qemu/KVM without libvirt

Posted on August 29, 2016 by Adam Young

When I booted a VM yesterda, I noticed that there was a huge command line that showed up if I ran ps. I tried to run that by hand.Â It is huge, so I wrapped it with a script, but the command is not too bad to understand:Â everything that qemu needs to do needs to be passed in on the command line.

Continue reading →

Running Unit Tests on Old Versions of Keystone

Posted on August 16, 2016 by Adam Young

Just because Icehouse is EOL does not mean no one is running it. One part of my job is back-porting patches to older versions of Keystone that my Company supports.

A dirty secret is that we only package the code needed for the live deployment, though, not the unit tests. In the case of I need to test a bug fix against a version of Keystone that was, essentially, Upstream Icehouse.
Continue reading →

RBAC Policy Updates in Tripleo

Posted on August 16, 2016 by Adam Young

Policy files contain the access control rules for an OpenStack deployment. The upstream policy files are conservative and restrictive; they are designed to be customized on the end users system. However, poorly written changes can potentially break security, their deployment should be carefully managed and monitored.

Since RBAC Policy controls access to the Keystone server, the Keystone policy files themselves are not served from a database in the Keystone server. They are, instead, configuration files, and managed via the deployment’s content management system. In a Tripleo based deployment, none of the other services use the policy storage in Keystone, either.

In Tripleo, the deployment of the overcloud is managed via Heat. the OpenStack Tripleo Heat templates have support for deploying files at the end of the install, and this matches how we need to deploy policy.
Continue reading →

Diagnosing Tripleo Failures Redux

Posted on August 16, 2016 by Adam Young

Hardy Steven has provided an invaluable reference with his troubleshooting blog post. However, I recently had a problem that didn’t quite match what he was showing. Zane Bitter got me oriented.
Continue reading →

Adam Young's Web Log

The Notebook of a Programmer Climber Musician Ex-Soldier Woodworker and a few other things

Category Archives: Software

Distinct RBAC Policy Rules

Mirroring Keystone Delegations in FreeIPA/389DS

Hierarchy of Isolation

Generating Token Request JSON from Environment Variables

Deploying Fernet on the Overcloud

Deploying Server on Ironic Node Baseline

Running Qemu/KVM without libvirt

Running Unit Tests on Old Versions of Keystone

RBAC Policy Updates in Tripleo

Diagnosing Tripleo Failures Redux